Study: Attacks on package managers
Posted Jul 15, 2008 9:43 UTC (Tue) by epa (subscriber, #39769)
In reply to: Study: Attacks on package managers by rrdharan
Parent article: Study: Attacks on package managers
That is the wrong approach. You are suggesting there should be verification so that only trustworthy people (by some measure) can set up a mirror site. But it will always be possible for bad guys to slip through the net. Even the US nuclear weapons programme, with the strictest possible vetting of participants, contained spies. And even a well-meaning mirror site can be taken over by an attacker. Better to make sure the update system is secure so that even with total control of one or more mirrors an attacker cannot push out bad packages or cause a denial of service for more than a few minutes.
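One shape the mirror-tolerant update system argued for above can take, added here as an example and not code from the comment or from any real package manager: the repository owner signs an index carrying each package's hash and an expiry time, so a mirror under attacker control can neither alter packages nor keep clients on an old snapshot past the expiry window. Go's crypto/ed25519 stands in for the repository signing key; the Release layout and the package contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Release is the signed index a mirror serves; layout constructed for this example. The signing key lives with the repository owner, never on a mirror.
type Release struct {
	Expires  int64             `json:"expires"`  // Unix seconds: bounds how long a frozen mirror can stall clients
	Packages map[string]string `json:"packages"` // package name -> hex sha256 of its contents
}

// SignRelease runs on the repository owner's signing host.
func SignRelease(priv ed25519.PrivateKey, r Release) (body, sig []byte, err error) {
	if body, err = json.Marshal(r); err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyPackage is the client check: signature, then freshness, then content hash, so a mirror that alters metadata, alters a package, or serves an old snapshot is rejected.
func VerifyPackage(pub ed25519.PublicKey, body, sig []byte, now time.Time, name string, pkg []byte) error {
	if !ed25519.Verify(pub, body, sig) {
		return fmt.Errorf("release metadata: bad signature")
	}
	var r Release
	if err := json.Unmarshal(body, &r); err != nil {
		return err
	}
	if now.Unix() > r.Expires {
		return fmt.Errorf("release metadata expired: mirror is stale or replaying an old snapshot")
	}
	if want, ok := r.Packages[name]; !ok || fmt.Sprintf("%x", sha256.Sum256(pkg)) != want {
		return fmt.Errorf("%s: not in signed index or hash mismatch (package altered on mirror)", name)
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	pkg := []byte("constructed package contents")
	body, sig, _ := SignRelease(priv, Release{Expires: time.Now().Add(time.Hour).Unix(),
		Packages: map[string]string{"foo": fmt.Sprintf("%x", sha256.Sum256(pkg))}})
	fmt.Println(VerifyPackage(pub, body, sig, time.Now(), "foo", pkg))                   // <nil>
	fmt.Println(VerifyPackage(pub, body, sig, time.Now(), "foo", []byte("tampered")))   // hash mismatch
	fmt.Println(VerifyPackage(pub, body, sig, time.Now().Add(2*time.Hour), "foo", pkg)) // expired
}
```

The expiry is what bounds the denial-of-service window: once the signed index lapses, clients refuse a mirror that has stopped forwarding new releases, however long the mirror keeps serving the old files.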